Wednesday, June 13, 2012

You just can't trust wireless: covertly hijacking wifi and stealing passwords using sslstrip

NOTE: The following post (and all posts on hakinthebox) are for educational purposes only. Do not perform any of these activities unless you have permission to do so.

Today we're going to talk about using sslstrip on the WiFi Pineapple to steal passwords. For this I'm going to be using my WiFi Pineapple Mark IV, a very handy little box that I highly recommend having for your wireless pentesting.

First we need to install sslstrip on the pineapple. For this we will use a USB thumb drive to give it the additional space needed for the installation. Fortunately for us, with the most recent firmware installing sslstrip is quite simple and can be done entirely through the web interface.

Click on the Pineapple Bar and select "list available infusions (aka modules)".

Go through all the modules until you find the sslstrip module and click on the "Install" link. This will prompt you to select whether to install it on internal storage or on the USB storage.

Once sslstrip is installed it will put a new line in the pineapple bar labeled "sslstrip". Go ahead and navigate to it and start up sslstrip by clicking the start button.

Now that we have sslstrip running we just need to grab some passwords. I used my laptop and connected to my pineapple's wireless network. Let's use Facebook for our example.

Facebook defaults to HTTPS connections, but because we have sslstrip doing its magic, the connection from the pineapple to the victim's computer is downgraded to plain HTTP.

Once the victim logs in they still get access and can go on with their day, but switching back to sslstrip we see that we've grabbed the e-mail address and password.

Combining sslstrip with karma gets even more alluring, since karma can advertise itself as any access point that a computer sends a request for. Take it a step further by adding a de-auth script that disconnects everyone who isn't connected to you, and you've got a recipe for harvesting passwords from every wireless user around you. No cracking necessary.

Saying you could do just as much with a rasp pi is a pretty retarded argument to me. For every person who is actually bold enough to try stuff and share it publicly there are 100 guys who think they're better because they could "do it better". If you can do all that with a pi, DO IT, write it up, and start contributing something besides retarded comments.

And for what it's worth, I have both a raspi and a pineapple. Love them both. The pineapple really is a well done project, and works GREAT.

There are a few ways... The first is to be vigilant and make sure when you go to a website that it actually shows HTTPS:// before logging in. There's also a plugin called HTTPS Everywhere that forces you to talk to certain websites only via HTTPS and won't allow it to redirect to a normal HTTP connection.
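To make the mechanism in the post and the two defences in the reply concrete, here is an added example (not code from the post, from sslstrip or from the HTTPS Everywhere project). It models the downgrade step as a rewrite of every https:// reference in a page to http://, then applies an HTTPS-Everywhere-style "this host is TLS only" rule on the client side and runs the reply's manual "does it show https://?" check on the resulting form targets. The sample page, the host names and the rule list are constructed for illustration.

```python
"""Model of the HTTPS downgrade from the post and the "force HTTPS" defence
from the reply. Added example; the sample page, hosts and rules are constructed."""
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample page: a login form pointing at HTTPS plus an ordinary link.
ORIGINAL_PAGE = (
    '<form action="https://www.facebook.com/login.php" method="post">'
    '<input name="email"><input name="pass" type="password"></form>'
    '<a href="https://news.example.net/">news</a>'
)

# Constructed HTTPS-Everywhere-style rule list: hosts the client must only reach
# over TLS. Real rule sets are per site, which is why the reply says the plugin
# protects "certain websites".
FORCE_HTTPS_HOSTS = {"www.facebook.com", "login.example.org"}

URL_ATTR = re.compile(r'\b(href|action|src)="([^"]+)"', re.IGNORECASE)


def strip_https_links(html: str) -> str:
    """What the proxy does to a page before relaying it to the victim: every
    https:// reference becomes http://, so the browser never starts TLS itself.
    The proxy keeps the HTTPS leg to the real site, which is why the login still
    succeeds and the victim notices nothing."""
    return re.sub(r"https://", "http://", html, flags=re.IGNORECASE)


def enforce_https(url: str, rules=FORCE_HTTPS_HOSTS) -> str:
    """Client-side rule: rewrite http:// back to https:// for covered hosts.
    URLs for hosts without a rule are returned unchanged."""
    parts = urlsplit(url)
    if parts.scheme != "http" or parts.hostname not in rules:
        return url
    host = parts.hostname
    if parts.port not in (None, 80):
        host = f"{host}:{parts.port}"
    return urlunsplit(("https", host, parts.path, parts.query, parts.fragment))


def harden_page(html: str) -> str:
    """Apply the rule to every href/action/src before the browser follows it."""
    return URL_ATTR.sub(lambda m: f'{m.group(1)}="{enforce_https(m.group(2))}"', html)


def extract_form_actions(html: str) -> list:
    """Where credentials typed into the page's forms would be sent."""
    return re.findall(r'<form[^>]*\baction="([^"]+)"', html, flags=re.IGNORECASE)


def safe_to_submit_credentials(url: str) -> bool:
    """The manual check from the reply: only log in when the target is https://."""
    return urlsplit(url).scheme == "https"


def demo() -> dict:
    """Run the page through the downgrade and then through the client-side rule."""
    downgraded = strip_https_links(ORIGINAL_PAGE)
    protected = harden_page(downgraded)
    return {
        "downgraded_actions": extract_form_actions(downgraded),
        "protected_actions": extract_form_actions(protected),
        "login_safe_without_rule": all(
            safe_to_submit_credentials(u) for u in extract_form_actions(downgraded)
        ),
        "login_safe_with_rule": all(
            safe_to_submit_credentials(u) for u in extract_form_actions(protected)
        ),
        # The news link has no rule, so it stays on plain HTTP even after hardening.
        "unprotected_links": [
            u for _, u in URL_ATTR.findall(protected) if urlsplit(u).scheme == "http"
        ],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the output makes is the one the reply makes: the downgraded login form fails the "shows https://" check, the per-host rule repairs it, and anything without a rule (the news link here) stays downgraded, so vigilance is still needed for sites the plugin does not cover.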

I wrote an article on this very matter just after I got my pineapple. What I came up with was to change the name of my WAP to a very unique SSID, then connect to it with my laptop, then change the SSID back to the original. Then I set that saved network as my preferred network. When my computer is out and about it sends out a broadcast beacon saying "Are you very_unique_SSID?", any nearby pineapple replies with a yes and it appears as though I am connected to that network. Then I set up a script to run every few minutes to check the SSID of the network I am currently using and if it matches my very_unique_SSID, then it pops up an alert on my screen advising me of a possible pineapple in the vicinity. Also, because you can add SSLStrip to the pineapple, SSL / HTTPS no longer works as a defence, so I recommend tunneling over SSH to be sure.

I don't know if you can help me with this. I followed your instructions; I click on "modules", followed by install. Now when I click on SSLStrip (it's in the dashboard area now, not modules mind you) after installing it, it again says it's not installed, and gives me the option to install on either the Flash drive or the Pineapple itself. When I do that, it says installing, but nothing happens. There isn't much info out there on the pineapple, so it's hard to get good help.

No, I have not. But I wasn't able to install it on the Pineapple itself without the USB plugged in. So I don't know if that is THE problem; well, it may be a problem, but I don't know if it's necessarily causing the problem I inquired about.

That could definitely be the problem. I don't remember how big SSLstrip is, but it could be bigger than the internal storage on the device. To be fair I didn't try to install it on internal storage, I did it directly on the USB from the start, so I could be wrong.

I am having the same problem. I click Install to USB and it says Loading... Then the screen flashes and it goes back to showing Not Installed. Same thing on 2 flash drives and on Install to Internal Storage. Any ideas?

Here's a forum post where some people are having issues with their USB drives, so I'd recommend starting by checking all the basics outlined here: http://forums.hak5.org/index.php?/topic/25882-how-to-enable-usb-mass-storage-with-swap-partition/, BUT it sounds like your pineapple recognizes your USB drive (which I'm assuming is EXT4 formatted already), but won't install, right?

According to the other poster, they simply weren't able to use their USB stick and using their SanDisk worked. If you have a spare, I'd recommend giving that a shot.


There are a few ways. One is to make sure you're actually communicating via HTTPS. There are plugins that can help with this, such as HTTPS Everywhere. If you're trying to prevent a MITM from karma, one option is to create an SSID on your machine that you know you don't access, such as KarmaAttackingYou, and set it as your primary wireless connection (so it will connect to that SSID before any other). Then it's a matter of checking to make sure that SSID is not present.
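The canary-SSID check described in the two comments above (a unique SSID saved as the preferred network, then polled every few minutes and alerted on), as an added example that is not the commenter's own script: a POSIX shell script for Linux. It assumes either iwgetid (wireless-tools) or nmcli (NetworkManager) is present to read the current SSID, uses notify-send for the desktop pop-up when available, and takes the canary name very_unique_SSID from the comment as a placeholder.

```shell
#!/bin/sh
# Canary-SSID rogue-AP detector. Added example, not the commenter's script.
# Assumes Linux with iwgetid (wireless-tools) or nmcli (NetworkManager) for the
# current SSID, and optionally notify-send for a desktop pop-up. The canary
# name below is the placeholder from the comment; pick your own unique one.
CANARY_SSID="${CANARY_SSID:-very_unique_SSID}"
INTERVAL="${INTERVAL:-180}"   # seconds between checks ("every few minutes")

# Print the SSID of the active wireless connection, or nothing when offline.
current_ssid() {
    if command -v iwgetid >/dev/null 2>&1; then
        iwgetid -r 2>/dev/null
    elif command -v nmcli >/dev/null 2>&1; then
        nmcli -t -f active,ssid dev wifi 2>/dev/null | awk -F: '$1 == "yes" { print $2; exit }'
    fi
}

# True (exit 0) when the given SSID is the canary. No legitimate network uses
# it, so being joined to it means something answered a probe for an arbitrary
# name, which is how karma behaves.
is_canary() {
    [ -n "$1" ] && [ "$1" = "$CANARY_SSID" ]
}

# Raise the alarm: desktop notification where available, stderr otherwise.
alert() {
    msg="Connected to canary SSID '$1': possible WiFi Pineapple / karma AP nearby"
    if command -v notify-send >/dev/null 2>&1; then
        notify-send -u critical "Rogue access point warning" "$msg"
    else
        printf '%s\n' "$msg" >&2
    fi
}

# One check: exit 1 (and alert) if the canary is the current network, else 0.
check_once() {
    ssid="$(current_ssid)"
    if is_canary "$ssid"; then
        alert "$ssid"
        return 1
    fi
    return 0
}

# Poll forever when run as a monitor: CANARY_LOOP=1 sh pineapple_canary.sh &
if [ "${CANARY_LOOP:-0}" = "1" ]; then
    while :; do
        check_once
        sleep "$INTERVAL"
    done
fi
```

Without CANARY_LOOP the script only defines the functions, so `check_once` can also be called from a cron entry or a login script instead of running the polling loop. The non-zero exit status makes it easy to chain other actions (disconnecting, logging) after the alert.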

About Me

I'm an Information Security enthusiast, with a preference for researching offensive security (a.k.a the red team). Note that this blog is my own personal blog and in no way represent the opinions of my employers, my family, or anyone else. Also note that all information on this site is for educational purposes and you are responsible for your own actions. Hack responsibly.